The Inside Scoop on Oracle's Database Security Product Line

Wednesday Mar 25, 2015

This according to the Verizon Data Breach Investigations Report. In fact, antivirus, intrusion detection systems, and log review all pick up less than 1% of data breach incidents. Very few companies do proactive monitoring and those that do are simply troubleshooting problems they already know about. The result is that 86% of data breach incidents were ultimately detected by someone other than the victimized organization; an embarrassing statistic.

Only 35% of organizations audit to determine whether privileged users are tampering with systems. As well, for nearly 70% of organizations, it would take greater than one day to detect and correct unauthorized database access or change. With average data breach compromises taking less than a day, the majority of organizations could lose millions of dollars before even noticing.

Join Oracle and learn how to put in place effective activity monitoring including:

Cathy has an interesting background with the Department of Defense and joined Infinity with a great understanding of what is required to lock down data and secure an IT environment.
As I interviewed Cathy, I learned that the main overall issues they face include:

So they have been able to implement Oracle Advanced Security to address these security requirements without having to make any application changes. Additionally, there has been "no performance degradation whatsoever." To further put in place a defense-in-depth database security strategy, Infinity is also implementing Oracle Database Vault for separation of duties and least privilege.

When I asked why they chose Oracle, Cathy responded with the following:

Wednesday Dec 18, 2013

I am really excited about our new book from the Oracle Database Security team here at Oracle. Securing Oracle Database 12c: A Technical Primer will be available as an early gift to database and security practitioners around the world this holiday season. Go pre-register for your free copy (code: db12c) of the ebook and, as a teaser, here's the Introduction. Enjoy.

Introduction to Oracle Database 12c: A Technical Primer

The problem of securing important information has unfortunately become a familiar one to organizations everywhere. A constant stream of news reports tells of successful attacks that gain access to sensitive data and the legal, economic, and reputational damage that results. Even though the vast majority of sensitive data is stored in relational databases, very little of the information security effort in most organizations is devoted to making those databases secure.

While there are many technologies and products available to improve the security of a database in various ways, what is needed is a brief but comprehensive overview that describes the major threats and appropriate techniques to address them. Attackers can be expected to exploit any available weakness including incorrect configuration of security controls in the database, unpatched operating system vulnerabilities, or compromised user accounts. More indirect methods such as SQL injection or intercepting data on the network are also possible. Truly securing a database system requires consideration of any opening an attacker might use.

Each chapter in this book covers a single threat area, but they are all related. There is no single solution that prevents all methods of attack, and each security mechanism reinforces the others. Defense-in-depth is the only way to effectively combat both threats that are known today and those that will be discovered tomorrow.

We begin with security features available within the database itself.

Chapter 1: Controlling Data Access and Restricting Privileged Users describes the fundamental notions of authenticating users and controlling the data that they can access. It covers best practices for determining the access that each user requires and limiting the powers of highly privileged users.

Chapter 2: Preventing Direct Access to Data explains the use of encryption to prevent attacks that attempt to gain access to data directly, bypassing the access controls described in the previous chapter.

Chapter 3: Advanced Access Control covers more sophisticated access control mechanisms that allow for more precise control. These mechanisms include Virtual Private Database, Oracle Label Security, and Real Application Security.

Chapter 4: Auditing Database Activity describes the techniques for maintaining an effective audit trail, which is a vital defense-in-depth technique to detect misuse by privileged users and unexpected violations of the security policies implemented in the previous chapters.

We then broaden the discussion to include external components that improve the security of the database and the data it stores.

Chapter 5: Controlling SQL Input explains the use of a specialized database firewall to monitor the SQL statements going to the database. This helps to protect the database against SQL injection attacks launched by Web users.

Chapter 6: Masking Sensitive Data covers the use of data masking to remove sensitive information from data that is used for test or development purposes. It also describes the use of Data Redaction to dynamically mask the results of queries on production databases.

Chapter 7: Validating Configuration Compliance describes the need to evaluate the database configuration against accepted standards and the tools available for performing the evaluation to ensure continued compliance.

Throughout the book, we highlight new features found in Oracle Database 12c. However, the majority of the solutions described in this book are applicable to earlier Oracle Database releases as well.

Tuesday Oct 29, 2013

The latest October edition of the Security Inside Out newsletter is now available and covers the following important security news:

Securing Oracle Database 12c: A Technical Primer

The new multitenant architecture of Oracle Database 12c calls for adopting an updated approach to database security. In response, Oracle security experts have written a new book that is expected to become a key resource for database administrators. Find out how to get a complimentary copy.

HIPAA Omnibus Rule Is in Effect: Are You Ready?

On September 23, 2013, the HIPAA Omnibus Rule went into full effect. To help Oracle’s healthcare customers ready their organizations for the new requirements, law firm Ballard Spahr LLP and the Oracle Security team hosted a webcast titled “Addressing the Final HIPAA Omnibus Rule and Securing Protected Health Information.” Find out three key changes affecting Oracle customers.

The Internet of Things: A New Identity Management Paradigm

By 2020, it’s predicted there will be 50 billion devices wirelessly connected to the internet, from consumer products to highly complex industrial and manufacturing equipment and processes. Find out the key challenges of protecting identity and data for the new paradigm called the Internet of Things.

Sunday Oct 06, 2013

If you attended Open World this year, you learned about the advances in Database 12c. As we collect more data and store our data in remote locations and the cloud, 12c restores control with advances to secure your data at the source. At the Chief Security Officer Summit at Leaders Circle, Vipin Samar discussed the changes in the security landscape that are forcing companies to re-examine how data is secured. The recent APT1 report by Mandiant highlights exactly how pervasive the threats are across every industry.

While the report covers the exploits of a specific government, the techniques being used are similar across the board. A recent report by the Ponemon Institute noted that 43% of the most serious attacks are SQL injection attacks. The statistic implies that organizations are not as prepared to secure databases as they should be, and that our most valuable data actually resides in our databases.

It seems almost every report on the state of IT security mentions database security. As an example, the PWC Global State of Information Security report provides a survey by region of database encryption. In North America alone, 53% of companies don't encrypt databases. Despite the threats, organizations are not fully responding.

The slides below provide a perspective on how a comprehensive approach to database security can set the foundation for preventing some of the most advanced threats. With Database Security 12c, there are several advances that organizations will want to focus on:

Wednesday Oct 02, 2013

The latest edition of Oracle Magazine, headlined with Plug into the Cloud, gives many reasons for customers to upgrade to the latest release of Oracle Database 12c.

In the article Time to Upgrade, Michelle Malcher, President of the Independent Oracle Users Group (IOUG) and Oracle ACE Director, says "Oracle Database 12c is packed with several new and enhanced security features. A great new security feature is privilege analysis, which allows DBAs to get to the bottom of what permissions are really needed and used. How much time is that going to save in audit reports and managing the security for least privilege?"

To prepare for the latest edition of Oracle Database, Malcher had an opportunity to sit down and beta test the latest features with others. During this time, we captured some of her comments, along with those of other beta testers, about another new feature: data redaction (see the video below).

She goes on to say "Redaction is another security feature that is easy to implement and probably will save a lot of time previously spent having to mask data in different environments or code solutions to hide private data and information. Setting up a comprehensive redaction policy for users, applications, and environments can further protect sensitive data."

Monday Sep 16, 2013

Pre-register For Your Copy Now

With the launch of Oracle Database 12c, securing your databases is more important than ever. For a limited time you can pre-register for a new complimentary eBook and learn about Oracle Database Security from the experts who brought you the #1 database in the world.

Tuesday Aug 27, 2013

Plan for Oracle OpenWorld with the most recent Focus On Database Security content!

Oracle OpenWorld is Sept 22-26, 2013 in San Francisco, and this Focus On Database Security document organizes all database security content, including sessions, hands-on labs, and demos. This document is subject to change, so check back as we get closer to OpenWorld.

Tuesday Aug 06, 2013

Designed for the Cloud, the new multitenant architecture of Oracle Database 12c now enables customers to greatly simplify and accelerate database consolidation by enabling the management of hundreds of databases as one. To protect the unprecedented amounts of data customers will store within their databases, Oracle Database 12c also introduces more security capabilities than any previous Oracle Database release.

“Oracle Database 12c represents a complete shift in database technology. With the growing amount of stored data, these new multitenant databases will be targeted by both hackers and insiders, and scrutinized by auditors more than ever,” says Vipin Samar, vice president, database security product development, Oracle. “It’s imperative that customers take advantage of the new security capabilities in Oracle Database 12c to protect their data and database infrastructure.”

Key new capabilities to help customers mitigate risks and address compliance requirements include:

Data Redaction. Part of Oracle Advanced Security, Data Redaction complements transparent data encryption (TDE) by ensuring sensitive data is not exposed to users of current applications. While TDE protects information from database bypass attacks at the operating system level, Data Redaction conditionally redacts sensitive data in the outgoing result set by replacing original data with **** or any other fixed or random string of choice based upon the customer requirements. Data is redacted based on simple declarative policies that take into account rich database session context such as IP address, program name, and application user. The original data remains unaltered along with existing operational procedures.
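As an added illustration (not code from the page or from Oracle's documentation), the following PL/SQL shows what such a declarative redaction policy looks like: sensitive columns are masked in the result set unless the session arrives from the application server's address. The HR.EMPLOYEES table, its SSN and SALARY columns, the policy name and the address 192.0.2.10 are all assumed for this example.

```sql
-- Added example: a Data Redaction policy keyed on session context.
-- Assumed: schema HR, table EMPLOYEES with SSN (VARCHAR2) and SALARY (NUMBER)
-- columns; the application server connects from 192.0.2.10 (constructed value).
BEGIN
  DBMS_REDACT.ADD_POLICY(
    object_schema       => 'HR',
    object_name         => 'EMPLOYEES',
    column_name         => 'SSN',
    policy_name         => 'redact_emp_pii',
    -- PARTIAL leaves the last four digits visible; FULL returns the type's
    -- fixed default, RANDOM a random value of the same type and length.
    function_type       => DBMS_REDACT.PARTIAL,
    -- input format, output format, mask character, first and last masked position
    function_parameters => 'VVVFVVFVVVV,VVV-VV-VVVV,*,1,5',
    -- The policy expression must evaluate to TRUE for redaction to apply,
    -- so only sessions NOT coming from the application server are masked.
    expression          => 'SYS_CONTEXT(''USERENV'',''IP_ADDRESS'') != ''192.0.2.10'''
  );

  -- Extend the same policy to a second column with a different function type.
  DBMS_REDACT.ALTER_POLICY(
    object_schema => 'HR',
    object_name   => 'EMPLOYEES',
    policy_name   => 'redact_emp_pii',
    action        => DBMS_REDACT.ADD_COLUMN,
    column_name   => 'SALARY',
    function_type => DBMS_REDACT.FULL   -- NUMBER columns fully redact to 0
  );
END;
/

-- An ad hoc session from any other address sees ***-**-6789 and 0;
-- the stored values are untouched, only the outgoing result set is rewritten.
SELECT employee_id, ssn, salary FROM hr.employees WHERE ROWNUM <= 3;

-- Review what is in force before trusting it in an audit.
SELECT object_owner, object_name, policy_name, expression, enable
  FROM redaction_policies;
SELECT object_name, column_name, function_type, function_parameters
  FROM redaction_columns;
```

Two caveats a practitioner should keep in mind: SYS and any user granted the EXEMPT REDACTION POLICY privilege bypass the policy, so that grant belongs under the same scrutiny as other powerful privileges, and redaction rewrites result sets rather than restricting access, so it complements, rather than replaces, the access controls and auditing described elsewhere on this page.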

Privilege Analysis. Part of Oracle Database Vault, Privilege Analysis can harden database access by identifying users’ or applications’ unused privileges and roles based upon the actual roles and privileges used at runtime on production servers. Typically over time, applications and users amass powerful privileges and roles that may no longer be necessary. Finding the set of used roles and privileges is important because it helps identify the minimal set required and allows unused privileges to be revoked, reducing the attack surface.
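The capture-then-compare workflow described above, as an added example (not from the page or from Oracle's documentation). It scopes the capture to a single application account so that the results reflect only that workload; the account name APP_USER and the capture name are assumed.

```sql
-- Added example: a privilege-analysis capture for one application account.
-- Assumed: an application schema/account named APP_USER; the session running
-- this has the CAPTURE_ADMIN role.
BEGIN
  DBMS_PRIVILEGE_CAPTURE.CREATE_CAPTURE(
    name        => 'app_user_capture',
    description => 'Privileges actually exercised by APP_USER sessions',
    -- G_CONTEXT records only sessions for which the condition is TRUE;
    -- G_DATABASE would record every session in the database.
    type        => DBMS_PRIVILEGE_CAPTURE.G_CONTEXT,
    condition   => 'SYS_CONTEXT(''USERENV'',''SESSION_USER'') = ''APP_USER'''
  );
  DBMS_PRIVILEGE_CAPTURE.ENABLE_CAPTURE(name => 'app_user_capture');
END;
/

-- Run the application through a representative window here, including
-- rarely exercised paths (month-end jobs, admin screens), then:

BEGIN
  DBMS_PRIVILEGE_CAPTURE.DISABLE_CAPTURE(name => 'app_user_capture');
  DBMS_PRIVILEGE_CAPTURE.GENERATE_RESULT(name => 'app_user_capture');
END;
/

-- Privileges and roles that were exercised during the capture window.
SELECT username, used_role, sys_priv, obj_priv, object_owner, object_name
  FROM dba_used_privs
 WHERE capture = 'app_user_capture'
 ORDER BY username, used_role;

-- Granted but never exercised: the candidates for revocation.
SELECT username, rolename, sys_priv, obj_priv, object_owner, object_name
  FROM dba_unused_privs
 WHERE capture = 'app_user_capture'
 ORDER BY username, rolename;
```

The value of the unused list depends entirely on how representative the capture window was: a privilege that only a quarterly job needs will show as unused after a week, so revoke in stages and keep the capture results alongside the change record.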

Database Vault also enables customers to realize the full potential of Oracle Database 12c multitenant-based consolidation by preventing common database administrators from accessing application data stored in a pluggable database. With three distinct separation-of-duty controls, Database Vault is critical to regulatory compliance in multitenant environments.

Conditional Auditing. Oracle Database 12c introduces a new auditing framework that creates audit records based on the context of the database session. For example, an audit policy can be defined to audit all SQL statements unless they are coming from the application server’s IP address and with the given program name. Out-of-policy connections can be fully audited while no audit data will be generated for others, enabling highly selective and effective auditing.

New roles have been introduced for managing audit data and audit policies inside the database. Audit data integrity is further protected by restricting management to the built-in audit data management package, preventing audit trail tampering using ad hoc SQL commands. Multiple audit statements can be grouped together for easier management. Three default audit policies are configured and shipped out of the box.
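The two paragraphs above describe a context-conditional policy and the restriction of trail maintenance to the management package. As an added example (not code from the page or from Oracle's documentation), the following unified audit policy records access to one table from anything other than the application server, then shows how the trail is queried and purged. The table, the program name payroll_app and the address 192.0.2.10 are assumed.

```sql
-- Added example: a conditional unified audit policy.
-- Assumed: table HR.EMPLOYEES; the application connects from 192.0.2.10 with
-- client program name 'payroll_app' (both constructed); the session running
-- this has the AUDIT_ADMIN role.
CREATE AUDIT POLICY hr_out_of_band_access
  ACTIONS SELECT ON hr.employees,
          UPDATE ON hr.employees
  -- Audit unless the session is the application server AND the expected program.
  WHEN 'SYS_CONTEXT(''USERENV'',''IP_ADDRESS'') != ''192.0.2.10''
     OR SYS_CONTEXT(''USERENV'',''CLIENT_PROGRAM_NAME'') != ''payroll_app'''
  -- PER SESSION evaluates the condition once at connect time, so in-policy
  -- application sessions pay no per-statement cost.
  EVALUATE PER SESSION;

-- Enable it for all users; add WHENEVER [NOT] SUCCESSFUL to narrow it.
AUDIT POLICY hr_out_of_band_access;

-- Confirm the policy is enabled and read what it produced.
SELECT policy_name, enabled_opt, user_name
  FROM audit_unified_enabled_policies
 WHERE policy_name = 'HR_OUT_OF_BAND_ACCESS';

SELECT event_timestamp, dbusername, client_program_name, action_name, sql_text
  FROM unified_audit_trail
 WHERE unified_audit_policies LIKE '%HR_OUT_OF_BAND_ACCESS%'
 ORDER BY event_timestamp;

-- Records leave the trail only through the management package (never via
-- DELETE on the trail). Archive first, then purge up to the archive timestamp.
BEGIN
  DBMS_AUDIT_MGMT.SET_LAST_ARCHIVE_TIMESTAMP(
    audit_trail_type  => DBMS_AUDIT_MGMT.AUDIT_TRAIL_UNIFIED,
    last_archive_time => SYSTIMESTAMP - INTERVAL '30' DAY);
  DBMS_AUDIT_MGMT.CLEAN_AUDIT_TRAIL(
    audit_trail_type        => DBMS_AUDIT_MGMT.AUDIT_TRAIL_UNIFIED,
    use_last_arch_timestamp => TRUE);
END;
/
```

Because the condition keys on client-supplied session attributes, treat an audit record whose program name or address merely looks like the application as a prompt to check the connection's origin rather than as proof of it; the policy is a filter for noise, not an authentication of the client.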

Additionally, Oracle Audit Vault and Database Firewall now supports Oracle Database 12c, and can be used to collect, consolidate, alert and report on audit data from Oracle and non-Oracle databases and operating systems. Oracle Audit Vault and Database Firewall can also monitor Oracle Database 12c SQL activity over the network, blocking any unauthorized activity such as SQL injection attacks, or insider abuse.

Sensitive Data Discovery and Management. Locating and cataloging sensitive data is more critical than ever. Oracle Enterprise Manager Data Discovery and Modeling (DDM) and Sensitive Data Discovery (SDD) facilitate the process of locating sensitive data within an application and applying security controls on that data. In addition, the new Oracle Database 12c Transparent Sensitive Data Protection (TSDP) can load sensitive information from Oracle Enterprise Manager Data Discovery and Modeling into the Oracle database and apply security controls such as Data Redaction. This greatly reduces the operational burden of managing sensitive data consistently in Oracle Database 12c environments.

Real Application Security. Oracle Database 12c introduces the next generation authorization framework to support the increased application security requirements in multitenant environments. Unlike the traditional Oracle VPD, Oracle Database 12c Real Application Security (RAS) provides a declarative model that allows developers to define the data security policy based on application users, roles and privileges within the Oracle Database. This new RAS-based paradigm is more secure, scalable, and cost effective.

All the security capabilities available in Oracle Database 12c are compatible with the new multitenant architecture in Oracle Database 12c. As a result, customers can quickly and efficiently address the unique security requirements of each pluggable database. The security policies move with the pluggable database when it is unplugged from one and plugged into a new Oracle Database 12c multitenant server.

Monday Jul 08, 2013

Security A Key Part of Introducing Oracle Database 12c Webcast

More information is coming out as we introduce the next edition of Oracle Database 12c, including more new security capabilities than any other release in Oracle history! During the webcast featuring Mark Hurd, Andy Mendelsohn, and Tom Kyte, you'll also hear from Vipin Samar, Vice President of Oracle Database Security as he highlights some of these new features including sensitive data redaction and privilege analysis.

Thursday Jun 13, 2013

Rabobank was faced with two major challenges: addressing international compliance requirements and protecting sensitive data from privileged database users. In this podcast, Niels Zegveld, manager of database administration, tackled these challenges using Oracle Database Vault, without impacting system performance or applications.

Being an international bank, Rabobank must comply with multiple regulations and regulatory bodies, including the Dutch National Bank and the FSA. As part of these regulations, Rabobank had to demonstrate that the only employees, or applications, with access to sensitive data are the ones authorized to have it.

The requirements of separation of duties and securing sensitive financial data were originally handed over to the security department. Their first instinct was to look at solutions outside of the database; however, none of those solutions were able to cover the requirements. This led the security team to begin discussions with the database team to find out what suggestions they could offer. Niels' team was able to come up with a solution that would support all requirements and be easy to manage.

Oracle Database Vault

Working with Oracle security experts and Oracle Database Vault, Rabobank is addressing best practices of separation of duties and least privilege while protecting sensitive data from privileged users. Niels is happy to say they have passed their audits and found that performance tests show negligible impact to their systems and users.

About Rabobank

According to Hoovers, Rabobank Group was founded as a cooperative of Dutch agricultural banks in 1898. The company has some 140 member banks that have about 875 branches in the Netherlands and dozens of subsidiaries around the world that focus on the food, agribusiness, and financial industries. The cooperative's wholesale and international retail banking arm, Rabobank International, has offices in some 30 countries.

Wednesday Jun 05, 2013

Recent successful cyber attacks against some of the most security-savvy organizations have put into question IT Security strategies across all industries. The reliance on network security and user credentials has left many institutions vulnerable to attacks by insiders, outsiders exploiting stolen credentials, and SQL injection attacks. Additionally, the pervasive use of production data in non-production environments means that attackers can focus their efforts on a development or test server. Analysts estimate that less than 20% of IT Security plans address database security.

When Oracle talks about having a comprehensive database strategy, it includes defense-in-depth security controls that protect multiple layers in and around the database environment.

Preventive controls are those that are intended to avoid an incident from occurring

Detective controls help identify an incident's activities and potentially an intruder

Administrative controls are the tools that help with the process and procedures associated with database security

Tuesday May 28, 2013

Learn what one of Europe’s leading analysts has to say

KuppingerCole’s review of Oracle Audit Vault and Database Firewall discusses how this new product monitors Oracle and non-Oracle database traffic to detect and block threats, as well as improves compliance reporting by consolidating audit data from databases, operating systems, directories, and other sources. Learn about:

Strategic Roadmaps to Secure the Enterprise and Reduce Risk

As the premier gathering of enterprise IT security and risk management executives, the summit takes a comprehensive look at the entire spectrum of IT security, business continuity management and risk, including: network and infrastructure security, identity and access management, compliance, privacy, fraud, business continuity management, and resilience. This year’s summit offers five in-depth, role-based programs: